We all know there are many things to consider when keeping your health plan in compliance. HIPAA’s privacy and security rules are a longstanding compliance requirement that must not be lost in the shuffle. Given the number of data breaches that we’ve heard of in the news this year, we’d like to provide this opportunity for you to refresh your knowledge of the HIPAA requirements that impact your plan, and what your responsibilities are in the event of a breach.
Who must comply with the HIPAA privacy and security rules?
Covered entities and business associates must comply with HIPAA’s privacy and security rules. A covered entity is a health plan (including insurance companies and group health plans), healthcare provider or healthcare clearinghouse. Self-insured group health plans with fewer than 50 participants are not covered entities if they are administered in-house. Plan sponsors are also not considered covered entities; however, HIPAA’s privacy and security rules apply to the transfer of information from the health plan to the plan sponsor.
Business associates are third parties that provide services to covered entities that require the use or disclosure of Protected Health Information (PHI). HIPAA requires there to be a written contract between business associates and the health plan or other covered entity that establishes the scope of services and the business associate’s obligations to the PHI to be accessed, used, created or maintained on behalf of that covered entity as part of those services.
What information does the HIPAA privacy and security rules protect?
HIPAA protects PHI, which includes individually identifiable information, such as names, addresses, birthdays and Social Security numbers that can be used to identify an individual, provided it is paired with any of the following information:
- The individual’s past, present or future physical or mental health condition
- The provision of healthcare to the individual
- The past, present or future payment for the provision of healthcare to the individual
If a breach occurs, who must provide notice to the impacted individuals?
If PHI is accessed or transmitted in a non-permissible way, a breach notice must be issued to impacted individuals. If a plan is self-insured, the duty to issue a HIPAA breach notice lies with the plan because the group health plan is the covered entity and the Third Party Administrator (TPA) is the business associate. If a covered entity engages a business associate to help it carry out its healthcare activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA rules. A TPA may issue the notice if they have been contracted to do so, but the covered entity will remain liable. If a plan is fully insured, the duty to issue a HIPAA notice lies with the entity where the breach occurred, either the insurer or the health plan.
What are the requirements of the notice?
In the event of a breach, HIPAA requires that the covered entity notify each individual whose PHI was breached no later than 60 days after discovering the breach. If the breach impacts 500 or more people, then the covered entity must also notify the Department of Health and Human Services (HHS). If the breach impacts 500 people or more in the same state, then the notice must also be provided to prominent media outlets.
Notices must be sent through first class mail and must contain the following information:
- Date of the discovery of the breach
- Date of the breach itself if known
- A description of the breach
- Information regarding how the individuals may protect themselves
- Information regarding what the covered entity is doing to mitigate the problem
- Contact information for the covered entity
What are the penalties for a HIPAA breach?
The potential penalties for non-compliance with HIPAA’s privacy and security rules are summarized in the chart below.
|Violation Type||Each Violation||Annual Penalty Cap|
|Did not know||$100-$50,000||$1.5 million|
|Reasonable cause||$1,000-$50,000||$1.5 million|
|Willful neglect—corrected||$10,000-$50,000||$1.5 million|
|Willful neglect—not corrected||50,000- no limit||$1.5 million|
How can plan sponsors avoid a HIPAA violation?
Plan sponsors can help protect themselves from a HIPAA violation by ensuring that their privacy and security policies and procedures are up-to-date and being followed. Plan sponsors may also perform risk assessments to identify areas of vulnerability and create risk management plans. They should also be sure that their contracts with business associates specify each party’s responsibilities in the event of a data breach.
If you have any questions, please contact your client solutions team.
Compliance Quarterly is being provided as an informational tool. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this publication and any attachments, Meritain Health is not exercising discretionary authority over the plan and is not assuming a plan fiduciary role, nor is Meritain Health providing legal advice.